From c30344475c1b1adb370b7e296bd2f95c23ea30c8 Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Sun, 12 Jan 2025 00:48:39 +0300 Subject: [PATCH] fix(tvl-headscale): restore default ACL policy I omitted the `acls` section when adding the tag configuration. In "normal" tailscale, omitting this is equivalent to putting the defaults there (i.e. all traffic inside the tailnet is allowed), however in headscale it defaults to blocking everything instead. This meant that internal tailnet traffic wasn't really working correctly anymore. Change-Id: Ic37504e9a8a97b9f8eb3ac173c88201aef1c044a Reviewed-on: https://cl.tvl.fyi/c/depot/+/12972 Reviewed-by: sterni Tested-by: BuildkiteCI Autosubmit: tazjin --- ops/modules/tvl-headscale.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ops/modules/tvl-headscale.nix b/ops/modules/tvl-headscale.nix index 6d513b09f..2d9cf4e05 100644 --- a/ops/modules/tvl-headscale.nix +++ b/ops/modules/tvl-headscale.nix @@ -16,6 +16,12 @@ let acl = with builtins; toFile "headscale-acl.json" (toJSON { + acls = [{ + action = "accept"; + src = [ "*" ]; + dst = [ "*:*" ]; + }]; + groups."group:builders" = [ "tvl" "tvl-builders" ]; tagOwners."tag:builders" = [ "group:builders" ]; });
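Review bot: The added `acls` rule (`src = [ "*" ];` / `dst = [ "*:*" ];`) has no comment saying that allow-all is deliberate, so a later reader of the policy cannot tell an intended default from a leftover. I would put a comment above `acls = [{` along the lines of `# headscale blocks all traffic when a policy has no acls; this rule restores the allow-all default on purpose.` Because the same policy defines `tag:builders`, this rule also lets every tailnet node reach every port on builder-tagged machines. If that is wider than intended, a narrower `dst` for the tag is the place to restrict it; otherwise the comment should say that per-host access control is left to the machines themselves. The surrounding `let` block continues outside the hunk.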